It all started with this cartoon:
This cartoon basically started a hype about how XKCD was getting “it”. Jason posted a blog post stating that he did not agree with XKCD since:
- While four words in theory have 44 bits of entropy (244), it is actually 250,000 to the power of 4 (250,0004) since English only has 4about 250,000 words
- Most people actually would use three words, giving 15,625,000,000,000,000 combinations
- Most people know even less then 250,000 words
So what is my take on this? The key to “it” is at the bottom of the cartoon:
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”
This is really the “it” XKCD does get.
So why do we use password policies in the first place? What problem are we trying to tackle?
First of all we are trying to tackle the problem that users are very bad a picking good password without guidance. This tweet illustrates that:
If you don’t give users guidance they will often pick from a set of very well known passwords. But more recent research shows that since the average person has over 50 passwords, some with and some without password policy on it, most people need a coping strategy to deal with this.
In my talk “The Road to Hell is paved with best practices” I give this example of likely passwords for a certain password policy:
- 7 characters: welcome
- 7 characters + 1 capital: Welcome
- 7 characters + 1 capital + 1 numeral: W3lc0m3
- 7 characters + 1 capital + 1 numeral + 1 special: W3lc0m3!
- 10 characters + 1 capital + 1 numeral + 1 special: W3lc0m3!!!
- 10 characters + 1 capital + 1 numeral + 1 special, 30 days max, cannot reuse last 12: Welcome01!, Welcome02!, Welcome03!, etc
As security people we need to understand that each security measure will alter peoples behaviour and sometimes not for the good.
Studies have shown that even if password policies are used, probabilistic techniques can be used to aid in password cracking attacks, that password expiry is only of limited use, that password expiry policies do not meet their goal.
Experiments with an online windows password cracker showed that “hard” passwords do not take longer to crack that “easy” passwords when rainbow tables are used:
- Empty password – 2 seconds
- 72@Fee4S@mura! – 5 seconds
- (689!!!<>”QTHp – 8 seconds
- *mZ?9%^jS743:! – 5 seconds
- T&p/E$v-O6,1@} – 11 seconds
So what is my opinion?
Security policies have driven people to the top of their ability to remember passwords and as users have got increasing amounts of passwords the behavior it induced did not improve matters. We need to tune some of these measures down and replace them with education.
Passwords should be:
- Relatively long
- Not guessable (correcthorsebatterystaple is not o.k. anymore thanks to XKCD)
- Your system should block guessing attempts or really slow them down
If hackers have you password hashes you are toast…